Re: [DNSOP] Call for Adoption: draft-kh-dnsop-7706bis

"Paul Hoffman" <> Wed, 25 July 2018 00:08 UTC

From: Paul Hoffman <>
To: Paul Wouters <>
Cc: dnsop <>
Date: Tue, 24 Jul 2018 17:08:16 -0700

On 24 Jul 2018, at 10:35, Paul Wouters wrote:

> While I agree with the goal of the draft, to keep root server queries on the local host, I don't like how it is suggesting to run a DNS server on localhost:53, because that is going to cause problems with running validating resolvers on the stub. There are already enough racy conditions on systems with virtual machines and running dhcp/dns servers for those that are racing to own

If you find a place where the draft is suggesting that, please let us 
know: it should not be doing that. That's why the draft explicitly 

. . .
    2.  Start the authoritative server with the root zone on an address
        on the host that is not in use.  For IPv4, this could be, but if
        that address is in use, any address in 127/8 is acceptable.  For
        IPv6, this would be ::1.
. . .
    The examples here use a loopback address of, but 
    installations will use  The different address is used in
    order to emphasize that the root server does not need to be on the
    device at the name "localhost" which is often locally served as
. . .

> But again, having a well integrated method for slaving the root zone on a local validating stub resolver is something that everyone should do (along with query minimalization)

Hopefully, that's a recommendation for adoption of the draft.

--Paul Hoffman
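The draft text quoted above says to start the local root server on a loopback address "that is not in use", and the concern raised in the reply is exactly the collision case: a validating stub already owning port 53 on 127.0.0.1 (or on the wildcard address). The following is an added example, written for this thread and not part of the draft or either author's message, that checks that condition before an operator picks an address. It assumes a Linux host and the column layout of `ss -H -ltn` output; the listener table below is constructed, not captured from a real system.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output (Linux). Not captured from any real host.
# Column 4 is the local address:port the socket listens on.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::1]:53 [::]:*
LISTEN 0 4096 127.0.0.53:53 0.0.0.0:*
"""

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")


def parse_listeners(ss_output):
    """Return a list of (ip_address, port) tuples, one per LISTEN line.

    Wildcard binds come back as the unspecified address (0.0.0.0 or ::),
    which the caller recognises via ``addr.is_unspecified``.
    """
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")   # split on the LAST colon ([::1]:53)
        host = host.strip("[]")
        if host == "*":                              # older ss prints "*" for a wildcard
            host = "0.0.0.0"
        listeners.append((ipaddress.ip_address(host), int(port)))
    return listeners


def port_in_use(listeners, candidate, port=53):
    """True if binding candidate:port would collide with an existing listener.

    Assumption: a wildcard listener on the port takes it on every address
    (no SO_REUSEPORT sharing with the existing process), so any unspecified
    address is treated as a collision. This is deliberately conservative.
    """
    for addr, p in listeners:
        if p != port:
            continue
        if addr.is_unspecified or addr == candidate:
            return True
    return False


def pick_root_server_address(listeners, port=53):
    """Apply step 2 of the quoted draft text: prefer 127.0.0.1, otherwise the
    first free address in 127/8. Returns None when a wildcard listener already
    owns the port on every address, which is the race the reply warns about.
    """
    preferred = ipaddress.ip_address("127.0.0.1")
    if not port_in_use(listeners, preferred, port):
        return preferred
    if any(a.is_unspecified and p == port for a, p in listeners):
        return None
    for host in LOOPBACK_V4.hosts():          # 127.0.0.1, 127.0.0.2, ... first free wins
        if not port_in_use(listeners, host, port):
            return host
    return None


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SS_OUTPUT)
    print("listeners on :53:", [str(a) for a, p in found if p == 53])
    print("address for local root server:", pick_root_server_address(found))
```

On the constructed sample the stub holds 127.0.0.1:53 and a second resolver holds 127.0.0.53:53, so the picker skips both and returns 127.0.0.2; with a resolver bound to 0.0.0.0:53 it returns None, which is the signal to reconfigure the stub to a specific address rather than start the root server and race for the port.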